VIBE CODED.
VIBE HARDENED.®
One command. No config. Scans code AND agent skill files generated by Cursor, Claude Code, OpenClaw, Hermes, v0, Lovable, Bolt — knows what each tends to get wrong.
npx vibe-hardening scan
● 74 CODE RULES
● 65 AGENT RULES
● 9 LIVE VERIFIERS
vibe-hardening scan
Main command. Scores your repo 0–100 with an A–F grade. 74 rules covering hardcoded keys, SQL injection, missing auth on routes, CORS, Supabase RLS, eval(req.body), localStorage tokens, weak bcrypt rounds, and packages LLMs hallucinate.

scan --changed-only [ref]
Scan only the files in the git diff. Without a ref: vs HEAD. With a ref like origin/main: 3-dot diff, for PR-mode CI scans. 10× faster on large repos. A 3-dot diff needs the base ref present locally, so make sure the CI checkout actually fetches origin/main; a shallow clone without it has nothing to diff against.

scan --verify --own
Hits each leaked key against the real provider API. 9 providers. Tells you which are still live vs. revoked. --own is a seatbelt: it refuses to probe keys you have not claimed as yours.

scan --suggest-fix
Prints copy-paste-able diffs that swap inline keys for process.env.X, plus an .env.example stub. Console-only. Never modifies your files.

scan --roast
Brutalist mode. Neutral rule messages become dry one-liners. Console only; JSON / HTML output stays professional for CI artifacts.

vh explain <rule-id>
Detailed docs for any rule: severity, what it detects, why it matters, how to fix. Covers every shipped rule ID. Docs in your terminal, no browser needed.

vh badge
Outputs an SVG you can embed in your README to show the repo's current security score. Live-updating when paired with a scheduled CI run.
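To make the rule list and the --suggest-fix output above concrete, here is an added illustration that is not vibe-hardening's own code: a toy scanner in the same spirit, run over a constructed sample file. The rule IDs (EX-*), severities, penalty weights, grade cut-offs and the sample key value are all assumptions made for this example. A real scanner works on an AST rather than line regexes, which is why these patterns are deliberately narrow and why the hardcoded-key rule can only say a literal has the shape of a key; whether it is live is exactly what the page's --verify step exists to answer.

```javascript
// Added illustration, not vibe-hardening's own code.  Rule IDs, severities,
// penalty weights and grade cut-offs below are assumptions for this example;
// a real scanner uses an AST, so these line regexes are intentionally narrow.

const RULES = [
  {
    id: 'EX-EVAL-REQ',            // assumed rule ID
    severity: 'critical',
    re: /\beval\s*\(\s*req\.(?:body|query|params)\b/,
    message: 'eval() over request input is remote code execution',
  },
  {
    id: 'EX-LOCALSTORAGE-TOKEN',  // assumed rule ID
    severity: 'high',
    re: /localStorage\.setItem\(\s*['"`][^'"`]*(?:token|jwt|session)[^'"`]*['"`]/i,
    message: 'auth token in localStorage is readable by any XSS payload; use an httpOnly cookie',
  },
  {
    id: 'EX-WEAK-BCRYPT',         // assumed rule ID
    severity: 'medium',
    re: /bcrypt\.hash(?:Sync)?\([^,]+,\s*(\d+)\s*\)/,
    message: 'bcrypt cost factor below 10 is cheap to brute-force',
    // only fire when the literal cost factor is weak; 12 and up passes
    accept: (m) => Number(m[1]) < 10,
  },
  {
    id: 'EX-HARDCODED-KEY',       // assumed rule ID
    severity: 'critical',
    // shape-only match on a quoted literal with a well-known key prefix;
    // only a live probe (--verify on the page) can say whether a hit is real
    re: /(['"`])(?:sk_(?:live|test)_[A-Za-z0-9]{16,}|AKIA[A-Z0-9]{16}|ghp_[A-Za-z0-9]{36})\1/,
    message: 'hardcoded secret literal; move it to process.env and rotate the key',
  },
];

// Runs every rule over every line and returns the findings in file order.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const rule of RULES) {
      const m = rule.re.exec(text);
      if (m && (!rule.accept || rule.accept(m))) {
        findings.push({ line: idx + 1, id: rule.id, severity: rule.severity, message: rule.message, match: m[0] });
      }
    }
  });
  return findings;
}

// Derives an env var name from the declared identifier (stripeKey -> STRIPE_KEY).
function envNameFor(lineText, fallback) {
  const m = /(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=/.exec(lineText);
  const base = m ? m[1] : fallback;
  return base.replace(/([a-z0-9])([A-Z])/g, '$1_$2').toUpperCase();
}

// Console-only suggestion in the spirit of --suggest-fix: a -/+ diff per leaked
// literal plus the matching .env.example stub.  Nothing on disk is touched.
function suggestFix(source, findings) {
  const lines = source.split('\n');
  const diff = [];
  const envExample = [];
  for (const f of findings) {
    if (f.id !== 'EX-HARDCODED-KEY') continue;
    const before = lines[f.line - 1];
    const name = envNameFor(before, `SECRET_LINE_${f.line}`);
    diff.push(`-${before}`, `+${before.replace(f.match, `process.env.${name}`)}`);
    envExample.push(`${name}=`);
  }
  return { diff, envExample };
}

// 0-100 score with an A-F grade; the weights and cut-offs are assumptions here.
const PENALTY = { critical: 25, high: 15, medium: 8, low: 3 };
function scoreFindings(findings) {
  const score = Math.max(0, 100 - findings.reduce((s, f) => s + PENALTY[f.severity], 0));
  const grade = score >= 90 ? 'A' : score >= 80 ? 'B' : score >= 70 ? 'C' : score >= 60 ? 'D' : 'F';
  return { score, grade };
}

// Constructed sample file; the key value is a placeholder, not a real secret.
const SAMPLE = [
  "import bcrypt from 'bcrypt';",
  "const stripeKey = 'sk_live_EXAMPLEEXAMPLEEXAMPLE0000';",
  "app.post('/run', (req, res) => res.send(eval(req.body.code)));",
  'const weak = await bcrypt.hash(password, 4);',
  "localStorage.setItem('auth_token', token);",
  'const strong = await bcrypt.hash(password, 12);', // cost 12: not flagged
].join('\n');

const findings = scanSource(SAMPLE);
for (const f of findings) console.log(`${f.line}: [${f.severity}] ${f.id} ${f.message}`);
const { diff, envExample } = suggestFix(SAMPLE, findings);
console.log(diff.join('\n'));
console.log('.env.example:\n' + envExample.join('\n'));
console.log(scoreFindings(findings));
```

On the sample file this reports four findings (lines 2 to 5), leaves the 12-round bcrypt call alone, prints a one-line diff that swaps the literal for process.env.STRIPE_KEY alongside a `STRIPE_KEY=` stub, and grades the file F. The shape-only key rule is also the reason a tool wants a verification step and a seatbelt like --own: a regex cannot tell a rotated test key from a live production one.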
AI-aware rules
Hand-tuned for v0 exports, Cursor loops, Lovable scaffolds, Bolt scaffolds, and Claude Code diffs. Knows what each tends to miss — and won't complain about what they get right.
Platform fingerprint
Detects Next.js, Supabase, tRPC, Prisma, Drizzle, Convex, Vercel, Netlify. Runs only the rules that apply to your stack, so scans stay under 5 seconds on average repos.
Live secret verification
Finds candidate keys in your git history, probes their provider endpoints, and tells you which ones are still live. Not a grep — a phone call.
Agent skill scanner
New in 0.4.0. Statically scans skill files for Cursor, Claude Code, OpenClaw, Hermes, Gemini CLI, Goose, and 4 other agent platforms. Catches hardcoded keys, prompt injection, dangerous shell, MCP misconfigs — before the agent loads them.
Free, forever.
Scan any repo. Unlimited runs. Your code stays on your machine — only opt-in anonymous stats (rule-IDs that fired, never paths or content).
npx vibe-hardening scan
SHIP HARDENED.
One email on launch day, 2026-05-13, 14:00 UTC. No marketing.